-rw-r--r-- | usr.sbin/hoststated/hoststated.h | 7 | ||||
-rw-r--r-- | usr.sbin/hoststated/relay.c | 4 | ||||
-rw-r--r-- | usr.sbin/hoststated/ssl_privsep.c | 29 | ||||
-rw-r--r-- | usr.sbin/relayd/relay.c | 4 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.h | 7 | ||||
-rw-r--r-- | usr.sbin/relayd/ssl_privsep.c | 29 |
6 files changed, 44 insertions, 36 deletions
diff --git a/usr.sbin/hoststated/hoststated.h b/usr.sbin/hoststated/hoststated.h
index c2b70e104f4..a93a426a0a6 100644
--- a/usr.sbin/hoststated/hoststated.h
+++ b/usr.sbin/hoststated/hoststated.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: hoststated.h,v 1.61 2007/09/25 08:24:26 pyr Exp $ */
+/* $OpenBSD: hoststated.h,v 1.62 2007/09/27 13:34:21 pyr Exp $ */
 /*
 * Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@spootnik.org>
@@ -524,6 +524,9 @@ struct relay_config {
 struct relay {
 TAILQ_ENTRY(relay) entry;
+ int cert_fd;
+ int key_fd;
+
 struct relay_config conf;
 int up;
 struct protocol *proto;
@@ -736,7 +739,7 @@ SSL_CTX *ssl_ctx_create(struct hoststated *);
 void ssl_error(const char *, const char *);
 /* ssl_privsep.c */
-int ssl_ctx_use_private_key(SSL_CTX *, int, int);
+int ssl_ctx_use_private_key(SSL_CTX *, int);
 int ssl_ctx_use_certificate_chain(SSL_CTX *, int);
 /* hoststated.c */
diff --git a/usr.sbin/hoststated/relay.c b/usr.sbin/hoststated/relay.c
index 13544d9eb18..f11d2486fca 100644
--- a/usr.sbin/hoststated/relay.c
+++ b/usr.sbin/hoststated/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.44 2007/09/25 08:24:26 pyr Exp $ */
+/* $OpenBSD: relay.c,v 1.45 2007/09/27 13:34:22 pyr Exp $ */
 /*
 * Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
@@ -2068,7 +2068,7 @@ relay_ssl_ctx_create(struct relay *rlay)
 if ((fd = open(certfile, O_RDONLY|O_NONBLOCK)) == -1)
 goto err;
 log_debug("relay_ssl_ctx_create: using private key %s", certfile);
- if (!ssl_ctx_use_private_key(ctx, fd, SSL_FILETYPE_PEM))
+ if (!ssl_ctx_use_private_key(ctx, fd))
 goto err;
 if (!SSL_CTX_check_private_key(ctx))
 goto err;
diff --git a/usr.sbin/hoststated/ssl_privsep.c b/usr.sbin/hoststated/ssl_privsep.c
index ce332033694..8c01196a111 100644
--- a/usr.sbin/hoststated/ssl_privsep.c
+++ b/usr.sbin/hoststated/ssl_privsep.c
@@ -60,6 +60,7 @@
 * Adapted from openssl's ssl_rsa.c by Pierre-Yves Ritschard .
 */
+#include <unistd.h>
 #include <stdio.h>
 #include <openssl/err.h>
 #include <openssl/bio.h>
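Review bot: The new `cert_fd` and `key_fd` members of struct relay get no initializer anywhere in this change, so a zero-filled struct relay carries descriptor 0 in both fields, which is an ordinary open descriptor (normally stdin) rather than a "not set" sentinel; the allocation site is not in the diff, so it may already assign -1, but that is worth confirming. If it does not, set both to -1 where the relay is created and test `rlay->key_fd != -1` before handing the descriptor to ssl_ctx_use_private_key(), which now rewinds and reads whatever descriptor it is given. A field comment such as `/* -1 when no descriptor is held */` would pin the convention down for the next reader. The relayd.h hunk further down adds the same two fields and has the same gap.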
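Review bot: In the relay.c hunk the descriptor handed to ssl_ctx_use_private_key() is opened from `certfile` while the log line says "using private key", and since `fd` is opened fresh on the line above, the rewind the callee now performs is a no-op for this caller and the new cert_fd/key_fd fields from the header are not used here. The assignment of certfile is outside the hunk, so a combined certificate-plus-key PEM file may be the intended layout; if so, a one-line comment here, `/* certfile may carry both the certificate chain and the private key */`, would make that explicit, and if not, the key path should be the one opened. relay_ssl_ctx_create() begins and ends outside the hunk, so it is not visible whether the `err:` label closes fd after the callee has fdopen()ed it. The usr.sbin/relayd/relay.c hunk is byte-identical (same blob ids) and the same remarks apply there.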
@@ -69,13 +70,12 @@
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
-int ssl_ctx_use_private_key(SSL_CTX *, int, int);
+int ssl_ctx_use_private_key(SSL_CTX *, int);
 int ssl_ctx_use_certificate_chain(SSL_CTX *, int);
 int
-ssl_ctx_use_private_key(SSL_CTX *ctx, int fd, int type)
+ssl_ctx_use_private_key(SSL_CTX *ctx, int fd)
 {
- int j;
 int ret;
 FILE *fp;
 BIO *in;
@@ -83,6 +83,9 @@ ssl_ctx_use_private_key(SSL_CTX *ctx, int fd, int type)
 ret = 0;
 pkey = NULL;
+ if (lseek(fd, 0, SEEK_SET) == -1)
+ return (ret);
+
 if ((fp = fdopen(fd, "r")) == NULL) {
 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
 return (ret);
@@ -92,18 +95,13 @@ ssl_ctx_use_private_key(SSL_CTX *ctx, int fd, int type)
 goto end;
 }
- if (type == SSL_FILETYPE_PEM) {
- j = ERR_R_PEM_LIB;
- pkey = PEM_read_bio_PrivateKey(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata);
- } else {
- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,
- SSL_R_BAD_SSL_FILETYPE);
- goto end;
- }
+ pkey = PEM_read_bio_PrivateKey(in, NULL,
+ ctx->default_passwd_callback,
+ ctx->default_passwd_callback_userdata);
+
 if (pkey == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
+ SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,
+ ERR_R_PEM_LIB);
 goto end;
 }
 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
@@ -125,6 +123,9 @@ ssl_ctx_use_certificate_chain(SSL_CTX *ctx, int fd)
 ret = 0;
 x = NULL;
+ if (lseek(fd, 0, SEEK_SET) == -1)
+ return (ret);
+
 if ((fp = fdopen(fd, "r")) == NULL) {
 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
 return (ret);
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 13544d9eb18..f11d2486fca 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.44 2007/09/25 08:24:26 pyr Exp $ */
+/* $OpenBSD: relay.c,v 1.45 2007/09/27 13:34:22 pyr Exp $ */
 /*
 * Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
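Review bot: The new `lseek(fd, 0, SEEK_SET)` failure path in the @@ -83 hunk returns 0 without queuing an OpenSSL error, whereas the fdopen() failure directly below records ERR_R_SYS_LIB, so a caller that reports through ssl_error() (declared in the header hunk above) sees an empty error queue when the descriptor is closed or not seekable. Make the two paths consistent: `if (lseek(fd, 0, SEEK_SET) == -1) { SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); return (ret); }`, and likewise with SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE in the @@ -125 hunk of ssl_ctx_use_certificate_chain(); both hunks recur unchanged in usr.sbin/relayd/ssl_privsep.c. Note also that fdopen() hands the descriptor to fp, so if the end of the function (outside the hunk) fcloses fp, the descriptor is closed and a later rewind on the same fd, which this change appears to prepare for, fails with EBADF; whichever side is meant to own the descriptor should be stated in a header comment, e.g. `/* fd must be seekable: it is rewound before reading -- document here who closes it */`. Both functions begin and end outside the hunks.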
@@ -2068,7 +2068,7 @@ relay_ssl_ctx_create(struct relay *rlay)
 if ((fd = open(certfile, O_RDONLY|O_NONBLOCK)) == -1)
 goto err;
 log_debug("relay_ssl_ctx_create: using private key %s", certfile);
- if (!ssl_ctx_use_private_key(ctx, fd, SSL_FILETYPE_PEM))
+ if (!ssl_ctx_use_private_key(ctx, fd))
 goto err;
 if (!SSL_CTX_check_private_key(ctx))
 goto err;
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index fa7485e1a33..5456334f7cb 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.61 2007/09/25 08:24:26 pyr Exp $ */
+/* $OpenBSD: relayd.h,v 1.62 2007/09/27 13:34:21 pyr Exp $ */
 /*
 * Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@spootnik.org>
@@ -524,6 +524,9 @@ struct relay_config {
 struct relay {
 TAILQ_ENTRY(relay) entry;
+ int cert_fd;
+ int key_fd;
+
 struct relay_config conf;
 int up;
 struct protocol *proto;
@@ -736,7 +739,7 @@ SSL_CTX *ssl_ctx_create(struct hoststated *);
 void ssl_error(const char *, const char *);
 /* ssl_privsep.c */
-int ssl_ctx_use_private_key(SSL_CTX *, int, int);
+int ssl_ctx_use_private_key(SSL_CTX *, int);
 int ssl_ctx_use_certificate_chain(SSL_CTX *, int);
 /* hoststated.c */
diff --git a/usr.sbin/relayd/ssl_privsep.c b/usr.sbin/relayd/ssl_privsep.c
index ce332033694..8c01196a111 100644
--- a/usr.sbin/relayd/ssl_privsep.c
+++ b/usr.sbin/relayd/ssl_privsep.c
@@ -60,6 +60,7 @@
 * Adapted from openssl's ssl_rsa.c by Pierre-Yves Ritschard .
 */
+#include <unistd.h>
 #include <stdio.h>
 #include <openssl/err.h>
 #include <openssl/bio.h>
@@ -69,13 +70,12 @@
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
-int ssl_ctx_use_private_key(SSL_CTX *, int, int);
+int ssl_ctx_use_private_key(SSL_CTX *, int);
 int ssl_ctx_use_certificate_chain(SSL_CTX *, int);
 int
-ssl_ctx_use_private_key(SSL_CTX *ctx, int fd, int type)
+ssl_ctx_use_private_key(SSL_CTX *ctx, int fd)
 {
- int j;
 int ret;
 FILE *fp;
 BIO *in;
@@ -83,6 +83,9 @@ ssl_ctx_use_private_key(SSL_CTX *ctx, int fd, int type)
 ret = 0;
 pkey = NULL;
+ if (lseek(fd, 0, SEEK_SET) == -1)
+ return (ret);
+
 if ((fp = fdopen(fd, "r")) == NULL) {
 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
 return (ret);
@@ -92,18 +95,13 @@ ssl_ctx_use_private_key(SSL_CTX *ctx, int fd, int type)
 goto end;
 }
- if (type == SSL_FILETYPE_PEM) {
- j = ERR_R_PEM_LIB;
- pkey = PEM_read_bio_PrivateKey(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata);
- } else {
- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,
- SSL_R_BAD_SSL_FILETYPE);
- goto end;
- }
+ pkey = PEM_read_bio_PrivateKey(in, NULL,
+ ctx->default_passwd_callback,
+ ctx->default_passwd_callback_userdata);
+
 if (pkey == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
+ SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,
+ ERR_R_PEM_LIB);
 goto end;
 }
 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
@@ -125,6 +123,9 @@ ssl_ctx_use_certificate_chain(SSL_CTX *ctx, int fd)
 ret = 0;
 x = NULL;
+ if (lseek(fd, 0, SEEK_SET) == -1)
+ return (ret);
+
 if ((fp = fdopen(fd, "r")) == NULL) {
 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
 return (ret); |